[Dnsmasq-discuss] Using a secondary set of nameservers for dynamic blocking

Sam Crawford samcrawford at gmail.com
Sun Aug 7 19:22:59 BST 2011

Hi Rob,

Thanks for the helpful information.

I see the rationale for changing the DNS server to handle this, but
then you have the problem of (a) having to have DNS servers relatively
near all of the users and (b) you miss out on some CDN relationships
your ISP may have with some of the big content providers (this seems
to be a common complaint for OpenDNS users). Of course, I realise I'd
just be moving the problem to the blocking servers, but the idea here
would be to set a high cache TTL so this would not be a significant

I also wish for the dnsmasq host to have some logic and act upon the
response from the server (so the logic couldn't be entirely
server-side). The server would return a set of TXT records (indicating
the classifications of the domains) if it were classified, and
NXDOMAIN otherwise. Based upon these classifications returned from the
server and *local* configuration of the host running dnsmasq, the
original client would then either be sent back the real response (from
the ISP server) or an A record pointing at the dnsmasq host (which
would also be running a small webserver with a static page, as you

Would appreciate any other thoughts you or anyone else had.

Thanks again,


On 7 August 2011 18:22, /dev/rob0 <rob0 at gmx.co.uk> wrote:
> On Sun, Aug 07, 2011 at 03:05:25PM +0100, Sam Crawford wrote:
>> I'm looking to selectively block certain domains using dnsmasq by
>> rewriting responses. I realise this can already be done statically
>> through config files, but I want this to be more dynamic and intend
>> to operate a set of DNS servers that maintains a list of blocked
> I think the thing to change in this grand scheme is what the set of
> DNS servers will return. They could be authoritative for blocked
> domains, and recursive for everything else. In that case no code
> hacks are necessary; you simply use these servers as the upstream
> servers for dnsmasq.
> It's also possible to use dnsmasq in this upstream role, loading
> a list of blocked domains as a hosts file, SIGHUP (IIRC) when it
> changes.
>> domains (as this will be (a) a large list and (b) be used by
>> numerous clients, so should be centrally managed). So, I'm imagining
>> the query flow would go a little like this:
>> 1) Client in LAN makes A query for www.example.com to dnsmasq
>> 2) dnsmasq forwards query to ISP-hosted resolver
>> 3) dnsmasq receives response from ISP-hosted resolver
>> 4) dnsmasq sends query to special DNS server to check for blocked status
>> 5) dnsmasq receives response from special 'blocked' DNS server
>> 6) If the query to the 'blocked' DNS server returns success (a
>> certain magic number), then return the real response to the user
>> (obtained in step 3), otherwise a spoofed address (e.g. localhost)
> What RRtype would this "magic number" be? My idea also requires no
> protocol-level hacks.
> Having done domain blocking before, I would recommend that the
> address returned for "A" query point to a special HTTP host with a
> page telling the user that the domain was blocked, and why. A simple
> static HTML page (which is also used as the 404 page) would suffice.
>> (Of course, I'd intend to introduce caching in steps 4/5 as
>> dnsmasq does normally for its forwarding functionality).
>> A couple of questions arise:
>> 1) Is this a sensible thing to be doing in dnsmasq? Is there
>> something else that does it natively that I've overlooked?
>> 2) Can anyone point me towards where I should start looking in
>> the source to incorporate the changes?
>> Any advice would be greatly appreciated. I've searched the mailing
>> list archives and couldn't find anything quite like this.
> DNS-level domain blocking is not a new idea. http://pgl.yoyo.org/as/
> was helpful in my project back in '05 or so. OpenDNS implements a
> domain blocking feature as well. http://www.malwaredomains.com/ may
> also be of interest.
> --
>    Offlist mail to this address is discarded unless
>    "/dev/rob0" or "not-spam" is in Subject: header
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
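Added example, not code from the dnsmasq project or from anyone on the thread: a stand-alone model of steps 3 to 6 of the flow Sam describes, using only the Python standard library. It assumes (none of this is in the original mails) that the classification server answers TXT queries for "<queried-name>.<CLASSIFIER_ZONE>" with one TXT string per category and NXDOMAIN for unclassified names, that the local policy is a set of category names to block, and that blocked names get an A record for BLOCKPAGE_IP, the host serving the static "blocked" page. The zone name and addresses are hypothetical; every DNS message is constructed in the block and nothing is sent on the wire.

```python
# Added example, not code from dnsmasq or from anyone on the thread: a
# stand-alone model of steps 3-6 of the flow in the mail, stdlib only.
# Assumed (not in the original): the classifier answers TXT queries for
# "<name>.<CLASSIFIER_ZONE>" with one TXT string per category, NXDOMAIN when
# unclassified; blocked names get an A record for BLOCKPAGE_IP. Hypothetical
# names and addresses; all messages are constructed here and never sent.
import struct

CLASSIFIER_ZONE = "classify.example.net"   # hypothetical classifier zone
BLOCKPAGE_IP = "192.0.2.10"                # hypothetical block-page host
BLOCK_TTL = 3600                           # long TTL, as the mail proposes
QTYPE_A, QTYPE_TXT = 1, 16
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3

def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def decode_name(msg, off):
    """Return (name, offset after it); follows compression pointers, bounded."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("pointer loop")   # malformed or hostile reply
            end = off + 2 if end is None else end
            off = ((length & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (off if end is None else end)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def build_query(name, qtype, txid=0x1234):
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)      # RD set
            + encode_name(name) + struct.pack("!HH", qtype, 1))

def build_response(query, rcode, rrs):
    """rrs: [(type, ttl, rdata)] answers owned by the question name (0xC00C)."""
    _, qend = decode_name(query, 12)
    header = struct.pack("!HHHHHH", struct.unpack("!H", query[:2])[0],
                         0x8180 | rcode, 1, len(rrs), 0, 0)        # QR RD RA
    body = b"".join(struct.pack("!HHHIH", 0xC00C, t, 1, ttl, len(rd)) + rd
                    for t, ttl, rd in rrs)
    return header + query[12:qend + 4] + body

def parse_response(msg):
    """Return (rcode, [(owner, type, ttl, rdata), ...])."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, answers = 12, []
    for _ in range(qd):
        off = decode_name(msg, off)[1] + 4
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        answers.append((owner, rtype, ttl, msg[off + 10:off + 10 + rdlen]))
        off += 10 + rdlen
    return flags & 0xF, answers

def txt_strings(rdata):
    out, i = [], 0
    while i < len(rdata):
        out.append(rdata[i + 1:i + 1 + rdata[i]].decode("ascii"))
        i += 1 + rdata[i]
    return out

def categories_for(name, classifier_reply):
    """Steps 4/5: categories the classifier returned for `name`; empty = none."""
    rcode, answers = parse_response(classifier_reply)
    if rcode != RCODE_NOERROR:      # NXDOMAIN = unclassified; other errors also
        return set()                # fail open here (fail closed is the other choice)
    want = f"{name}.{CLASSIFIER_ZONE}".lower()
    return {c.strip().lower() for owner, t, _, rd in answers
            if t == QTYPE_TXT and owner.lower() == want for c in txt_strings(rd)}

def decide(client_query, upstream_reply, classifier_reply, blocked_categories):
    """Step 6: hand back the real answer or a synthesized A for the block page."""
    qname, _ = decode_name(client_query, 12)
    if categories_for(qname, classifier_reply) & set(blocked_categories):
        rdata = bytes(map(int, BLOCKPAGE_IP.split(".")))
        return build_response(client_query, RCODE_NOERROR, [(QTYPE_A, BLOCK_TTL, rdata)])
    return upstream_reply

def demo(name, categories, policy):
    """One lookup end to end on constructed replies; returns the A answer."""
    q = build_query(name, QTYPE_A)
    upstream = build_response(q, RCODE_NOERROR, [(QTYPE_A, 300, bytes([203, 0, 113, 5]))])
    cq = build_query(f"{name}.{CLASSIFIER_ZONE}", QTYPE_TXT)
    if categories is None:
        creply = build_response(cq, RCODE_NXDOMAIN, [])
    else:
        txt = b"".join(bytes([len(c)]) + c.encode("ascii") for c in categories)
        creply = build_response(cq, RCODE_NOERROR, [(QTYPE_TXT, 3600, txt)])
    _, answers = parse_response(decide(q, upstream, creply, policy))
    return next((".".join(map(str, rd)) for _, t, _, rd in answers if t == QTYPE_A), None)

if __name__ == "__main__":
    print(demo("www.example.com", ["malware", "phishing"], {"malware"}))  # block page
```

demo("www.example.com", ["malware", "phishing"], {"malware"}) returns the block-page address, while an "adult" classification against a {"malware"} policy, or an NXDOMAIN from the classifier, hands the client the real upstream answer. Two things a practitioner would want to settle before building this for real: categories_for fails open when the classifier is unreachable or returns SERVFAIL, which keeps the resolver working but silently stops blocking, and the alternative (fail closed) must be a deliberate choice; and the parser bounds compression-pointer hops, because a forwarder that follows untrusted replies is exactly where a pointer loop would otherwise hang it. On Rob's simpler route: entries in a hosts file given to dnsmasq via --addn-hosts match exact names only, whereas an address=/example.com/192.0.2.10 line in the configuration file covers the domain and every subdomain; SIGHUP makes dnsmasq re-read hosts files but not its configuration file, so address= changes need a restart.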
